LDAP PEAPv0/MSCHAPv2 Authentication

Nicholas Cappelletti nick at switchtower.org
Sun Aug 2 01:24:25 CEST 2009


Hello Everyone,

I know I'll probably be berated with this and be told to read the documentation and the debug messages, but I'm at my wits' end with this and would like a little direction, even if it is a man page or something in the debug messages I missed.

Okay, 802.1x for wireless works great when I'm using the default config files.  I use the automatically generated cert and create a few users in the users config file.

Here is the debug of that user authenticating:

rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=221
Cleaning up request 31 ID 0 with timestamp +213
        User-Name = "nick"
        NAS-IP-Address = 192.168.30.4
        Called-Station-Id = "001217aa3fb7"
        Calling-Station-Id = "001b6301f74e"
        NAS-Identifier = "001217aa3fb7"
        NAS-Port = 56
        Framed-MTU = 1400
        State = 0xac75dd7bab7cc420d50c8e10f23f3553
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0209005b19001703010050e718360d0f11185fd80d47ada34e743f15ee4fe717bd546fdb0905964163642ec8de6d49e13fdaee97c1777c7729e8041f34f305d47aaabc0fc4814e76a3e2e69252faad5440929c8acf736479c90437
        Message-Authenticator = 0x9c1f8ace22588eebd7a7e207c67d2910
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nick", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x0209003f1a0209003a3172435718fc889114f133ce5f13aa7e3a00000000000000008cacb226a61d81100b7f0313485b86d7fba9bedb93207397006e69636b
server  {
  PEAP: Setting User-Name to nick
Sending tunneled request
        EAP-Message = 0x0209003f1a0209003a3172435718fc889114f133ce5f13aa7e3a00000000000000008cacb226a61d81100b7f0313485b86d7fba9bedb93207397006e69636b
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "nick"
        State = 0xa4d2ade0a4dbb70aa318d5923f95834c
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "nick", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 9 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry nick at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for nick with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x010a00331a0309002e533d35363630433534303036413841374444344632424236373344374337413542324634464431333331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa4d2ade0a5d8b70aa318d5923f95834c
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x010a00331a0309002e533d35363630433534303036413841374444344632424236373344374337413542324634464431333331
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa4d2ade0a5d8b70aa318d5923f95834c
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.30.4 port 3072
        EAP-Message = 0x010a005b190017030100506b9a851f88d541fab50c47c1df1b0f06e628cea25b716609ff7d21ffebf29b985165fdd96ab6f1b3dc4c2d5840af2cf164d2239c46fe412099ed9a43c2b6a4671d194f2a97c8a71b46a2194d27b2b16b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac75dd7ba47fc420d50c8e10f23f3553
Finished request 32.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=173
Cleaning up request 32 ID 0 with timestamp +213
        User-Name = "nick"
        NAS-IP-Address = 192.168.30.4
        Called-Station-Id = "001217aa3fb7"
        Calling-Station-Id = "001b6301f74e"
        NAS-Identifier = "001217aa3fb7"
        NAS-Port = 56
        Framed-MTU = 1400
        State = 0xac75dd7ba47fc420d50c8e10f23f3553
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020a002b19001703010020851f2695f1f66ef9a35dcb76dfa176acd5c47a131a8580c47eba67a5df577f00
        Message-Authenticator = 0xdf5e02143bd04f312f52bdd368e70e7a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nick", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020a00061a03
server  {
  PEAP: Setting User-Name to nick
Sending tunneled request
        EAP-Message = 0x020a00061a03
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "nick"
        State = 0xa4d2ade0a5d8b70aa318d5923f95834c
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "nick", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 10 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry nick at line 60
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
} # server inner-tunnel
[peap] Got tunneled reply code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nick"
[peap] Got tunneled reply RADIUS code 2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nick"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.30.4 port 3072
        EAP-Message = 0x010b002b190017030100204c7bbda36687bbec748250a331403e85fcb9bc35f2a071afec4b072eb3cd8cc4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac75dd7ba57ec420d50c8e10f23f3553
Finished request 33.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=173
Cleaning up request 33 ID 0 with timestamp +214
        User-Name = "nick"
        NAS-IP-Address = 192.168.30.4
        Called-Station-Id = "001217aa3fb7"
        Calling-Station-Id = "001b6301f74e"
        NAS-Identifier = "001217aa3fb7"
        NAS-Port = 56
        Framed-MTU = 1400
        State = 0xac75dd7ba57ec420d50c8e10f23f3553
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020b002b1900170301002018ce02e38e6c00b421658c4aedcbaa9b965e8c1c089954ec6a1fcc992a1468f8
        Message-Authenticator = 0x48b93f3e89b5fc5a91a3d77f26ae3f35
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "nick", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 192.168.30.4 port 3072
        MS-MPPE-Recv-Key = 0xa65e123a8723dbf8daff315d9eeefead767d1bf58f191a8cd2f14a3202535776
        MS-MPPE-Send-Key = 0xfc919ac8721cfbf8ce4e09f20a9da90f63e65645ece3c293a878c58d7ae41af2
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "nick"
Finished request 34.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 34 ID 0 with timestamp +214
Ready to process requests.


------------------------------------

And here is when I configure the modules/ldap.  This is with LDAP enabled for authentication in the sites-enabled/inner-tunnel with nothing else changed:

rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=121
        User-Name = "zack"
        NAS-IP-Address = 192.168.30.4
        Called-Station-Id = "001217aa3fb7"
        Calling-Station-Id = "001b6301f74e"
        NAS-Identifier = "001217aa3fb7"
        NAS-Port = 56
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02000009017a61636b
        Message-Authenticator = 0xba6a39bbf4d30c64ad62ca8af7de1e40
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "zack", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.30.4 port 3072
        EAP-Message = 0x0101001604103d559c382e7e5d5dedb960b8107f467e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7a53d4d47a52d007e61d2d43d148851e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.30.4 port 3072, id=0, length=121
Cleaning up request 0 ID 0 with timestamp +34
        User-Name = "zack"
        NAS-IP-Address = 192.168.30.4
        Called-Station-Id = "001217aa3fb7"
        Calling-Station-Id = "001b6301f74e"
        NAS-Identifier = "001217aa3fb7"
        NAS-Port = 56
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02000009017a61636b
        Message-Authenticator = 0x3fa8484f6dc6f4a9dab5fccb4646fcf5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "zack", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.30.4 port 3072
        EAP-Message = 0x01010016041082fa9d0faaabc4dbae49e8c8fd2b8081
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0b7341550b724572c83e07f2140503b9
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 0 with timestamp +35
Ready to process requests.


-----------------------------------

Again, I'm prepared to be told to look here or look there.  I just need some guidance. :)

--Nick
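As an added example that is not part of Nick's post or of FreeRADIUS itself, here is a small decoder for the EAP-Message hex values in the debug output above; it reads the outer PEAP packets, the tunneled EAP-MSCHAPv2 packets and the EAP-MD5 challenge that appears once LDAP is enabled, so the two runs can be compared field by field. Field layouts follow RFC 3748 (EAP), RFC 2759 (MS-CHAPv2) and the PEAPv0 flags byte; the sample values fed to it are the ones printed in the debug above.

```python
# Added example (not from the original post or from FreeRADIUS): decoder for the
# EAP-Message attribute values that FreeRADIUS prints in debug mode, covering the
# EAP header, Identity, MD5-Challenge, the PEAP flags/TLS record and EAP-MSCHAPv2.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAPV2_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def decode_eap_message(hexstr):
    """Parse one EAP-Message value (with or without the 0x prefix) into a dict."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):  # a truncated or padded attribute is flagged, not guessed at
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success/Failure are header-only
        return info
    eap_type, data = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:  # Identity travels in clear text outside the TLS tunnel
        info["identity"] = data.decode("ascii", "replace")
    elif eap_type == 3:  # Nak lists the types the peer would accept instead
        info["desired_types"] = [EAP_TYPES.get(t, t) for t in data]
    elif eap_type == 4:  # MD5-Challenge: value-size, value, optional name
        info["challenge"] = data[1:1 + data[0]].hex()
    elif eap_type == 25:  # PEAP: flags byte (L, M, S, version), optional length, TLS records
        flags = data[0]
        info["peap_version"] = flags & 0x07
        body = data[5:] if flags & 0x80 else data[1:]
        if len(body) >= 5:
            ctype, ver, rlen = struct.unpack("!BHH", body[:5])
            info["tls_record"] = {"content": TLS_CONTENT.get(ctype, ctype),
                                  "version": f"{ver >> 8}.{ver & 0xFF}", "length": rlen}
    elif eap_type == 26:  # EAP-MSCHAPv2: opcode, ms-id, ms-length, opcode-specific data
        opcode = data[0]
        info["opcode"] = MSCHAPV2_OPCODES.get(opcode, opcode)
        if len(data) >= 4:
            _ms_id, ms_len = struct.unpack("!BH", data[1:4])
            payload = data[4:ms_len]
            if opcode == 2:  # Response: value-size, 49-byte value, then the peer name
                info["name"] = payload[1 + payload[0]:].decode("ascii", "replace")
            elif opcode == 3:  # Success request: authenticator response string "S=..."
                info["message"] = payload.decode("ascii", "replace")
    return info
```

In the failing run the decoder shows the server answering the Identity response with an MD5-Challenge instead of starting PEAP, and the client simply re-sending its Identity, which is where the two debug outputs diverge.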
